CrowdStrike Causing Widespread Global Outages
SUMMARY 


An update pushed out by CrowdStrike within the past 12 hours has caused widespread outages to Windows
environments where CrowdStrike is installed. This was not an elective update and therefore was applied to
every endpoint that had internet connectivity at the time. The update caused the infamous Blue
Screen of Death (BSOD) and will require manual intervention at every device.


IMPACT 


Millions of endpoints globally were rendered inoperable, at organizations ranging from the 3 largest airlines
(delaying flights) to hospital networks, government agencies, and news networks. Any endpoint with CrowdStrike
installed that has had internet connectivity within the past 12 hours is likely affected.


- Endpoints running older Windows 7 and 2008 R2 were not impacted.
- Endpoints running Mac or Linux were not impacted.


The channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problem.


SOLUTION 


Windows Endpoint (BitLocker not enabled) 


1. Boot Windows into Safe Mode or the Windows Recovery Environment.

2. Use Windows Explorer or the Command Prompt to navigate to the
C:\Windows\System32\drivers\CrowdStrike directory.

3. Locate the file matching “C-00000291*.sys”, and delete it.

4. Boot the host normally.


Windows Endpoint (BitLocker enabled) 


1. Boot Windows into Safe Mode or the Windows Recovery Environment.

2. Navigate to Troubleshoot > Advanced Options > Startup Settings.

3. Press “Restart”.

4. Skip the BitLocker recovery key prompt by pressing “Esc”.

5. Skip the next BitLocker recovery key prompt by selecting “Skip This Device”, in the bottom right.

6. Navigate to Troubleshoot > Advanced Options > Command Prompt.

7. Type “bcdedit /set {default} safeboot minimal”, then press “Enter”.

8. Go back to the WinRE main menu and select “Continue”.

9. The device may cycle 2 to 3 times.

10. If booted into Safe Mode, log in as usual.

11. Use Windows Explorer to navigate to the C:\Windows\System32\drivers\CrowdStrike directory.

12. Locate the file matching “C-00000291*.sys”, and delete it.

13. Open Command Prompt as Administrator.

14. Type “bcdedit /deletevalue {default} safeboot”, then press “Enter”.

15. Restart as normal.
Cloud Environment


Option 1 


1. Detach the operating system disk volume from the impacted virtual server.

2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against
unintended changes.

3. Attach/mount the volume to a new virtual server.

4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.

5. Locate the file matching “C-00000291*.sys”, and delete it.

6. Detach the volume from the new virtual server.

7. Reattach the fixed volume to the impacted virtual server.
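
Steps 4 and 5 of Option 1 as a script, added here as an example and not part of the original advisory or of CrowdStrike's tooling. It builds the path from the attached volume's drive letter, because %WINDIR% on the new virtual server resolves to that server's own Windows directory. The -MountedDrive and -Delete parameter names are assumptions made for this example.

```powershell
# Added example (not from the advisory). Run on the new virtual server after
# the impacted OS volume has been attached and given a drive letter.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$MountedDrive,   # assumption: letter of the attached volume, e.g. E:
    [switch]$Delete          # report only unless -Delete is passed
)

# Refuse to work on this server's own system drive: the file to remove lives
# on the attached (impacted) volume, not on the healthy rescue install.
if ($MountedDrive -ieq $env:SystemDrive) {
    throw "$MountedDrive is this server's own system drive, not the attached volume."
}

$dir = "$MountedDrive\Windows\System32\drivers\CrowdStrike"
if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    throw "No CrowdStrike driver directory at $dir"
}

# File name pattern taken from the advisory.
$channelFiles = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
if ($channelFiles.Count -eq 0) {
    Write-Warning "No C-00000291*.sys file found in $dir; nothing to remove."
    return
}

foreach ($file in $channelFiles) {
    $utc  = $file.LastWriteTimeUtc
    # Hash the file before removal so the incident record shows what was deleted.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($Delete) {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
    }
    [pscustomobject]@{
        Path         = $file.FullName
        LastWriteUtc = $utc.ToString('yyyy-MM-dd HH:mm:ss')
        Is0409Utc    = ($utc.Hour -eq 4 -and $utc.Minute -eq 9)  # timestamp named in the advisory
        SHA256       = $hash
        Action       = if ($Delete) { 'Deleted' } else { 'ReportOnly' }
    }
}
```

Run it once without -Delete to review the file names and UTC timestamps it finds, then again with -Delete before detaching the volume.
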
Option 2
1. Roll back to a snapshot prior to 0409 UTC 